On Tue, Jul 30, 2002 at 01:25:55AM +0200, Michael Banck wrote:
> I guess nobody ever heard that, but last night somebody told me that
> KDE3 has *gasp* some new features, so it should definetely go in, too if
> you ask me.
However, there is no security risk here by not upgrading to the latest
version.
It is unlikely that the latest version will close of any new security
holes, because of the lack of new features. If there is a significant
security hole, chances are, it will be identified, and a fix will be
back ported to stable.
Quite the opposite situation though when you are looking at security
software that is designed to keep your system secure.
Take the recent ssh problems as an example. Would it be considered a
release critical bug in that you cannot run the new version of sshd
(which was put in woody at the last minute before release) on a SE-Linux
system (without disabling the chroot), because the old selinux policy[1]
does not allow it to run in a chroot?
Yes, extremely simple to fix manually, so it seems stupid to remove
SE-Linux for this reason, but why not just put the fix in the policy
in stable and save people the effort?
Maybe policy files need to be distributed seperately, outside of Debian,
same as with oav-update for virus signatures. It will never be possible
to keep it uptodate otherwise, as it potentially needs to be updated
whenever a new package enters the distribution.
Notes:
[1] For this discussion, lets assume that the policy need make it to
stable with the other selinux packages; in practise, it looks like it
didn't make it.
Which is bizare. The packages which could potentially break your system
(unlikely as it is) made it to stable, but the package which is very
unlikely to break your system (just data files, no executables) didn't
make it?
--
Brian May <bam@debian.org>
--
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org